#jinja2: trim_blocks:False
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
/**
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-->

<configuration>
  <property>
    <name>hbase.rootdir</name>
    <value>hdfs://{{ groups.masters[0] }}.{{ CLUSTER_DOMAIN }}/hbase</value>
  </property>
  <property>
    <name>hbase.cluster.distributed</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>{% for host in groups.zookeepers %}{{ host }}.{{ CLUSTER_DOMAIN }}{% if not loop.last %},{% endif %}{% endfor %}</value>
  </property>
  <property>
    <name>hbase.tmp.dir</name>
    <value>{{ HBASE_TEMP_DIR }}/hbase-${user.name}</value>
  </property>
  <property>
    <name>OFF-hbase.hlog.split.skip.errors</name>
    <value>true</value>
  </property>
  <property>
    <name>OFF-hbase.master.ui.fragmentation.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>OFF-hbase.bucketcache.combinedcache.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.bucketcache.ioengine</name>
    <value>offheap</value>
  </property>
  <property>
    <name>hbase.bucketcache.size</name>
    <value>1024</value>
  </property>
  <property>
    <name>hfile.block.cache.size</name>
    <value>0.2</value>
  </property>
  <!-- Phoenix related settings-->
  <property>
    <name>phoenix.schema.isNamespaceMappingEnabled</name>
    <value>true</value>
  </property>
  {% if SECURITY_ENABLED %}
  <!-- Security related settings -->
  <!-- Enable Kerberos authentication for backend processes -->
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hbase.regionserver.kerberos.principal</name>
    <value>hbase/_HOST@{{ KRB_REALM }}</value>
  </property>
  <property>
    <name>hbase.regionserver.keytab.file</name>
    <value>{{ KEYTAB_DIR }}/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.master.kerberos.principal</name>
    <value>hbase/_HOST@{{ KRB_REALM }}</value>
  </property>
  <property>
    <name>hbase.master.keytab.file</name>
    <value>{{ KEYTAB_DIR }}/hbase.keytab</value>
  </property>
  <property>
    <!-- Enables HDFS client authz -->
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <!-- Enables HBase ACLs -->
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <!-- Enable SASL to ZooKeeper -->
  <property>
    <name>hbase.zookeeper.property.authProvider.1</name>
    <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
  </property>
  <!-- Enables service-level-authentication on RPC layer -->
  <property>
    <!-- MUST be set for impersonation to work! -->
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>
  <!-- Enables SSL for the web based UIs (including gateway servers) -->
  <property>
    <name>hbase.ssl.enabled</name>
    <value>true</value>
  </property>

  <!-- Coprocessors for ACLs, Visibility Labels, and Tokens -->
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController,
      org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController,
      org.apache.hadoop.hbase.security.visibility.VisibilityController,
      org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,
      org.apache.hadoop.hbase.security.token.TokenProvider</value>
  </property>
  <property>
    <name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <!-- Executable ACL for Coprocessor Endpoints -->
  <property>
    <name>hbase.security.exec.permission.checks</name>
    <value>true</value>
  </property>
  <property>
    <!-- Enable full cell-level ACL evaluation -->
    <name>hbase.security.access.early_out</name>
    <value>false</value>
  </property>
  <!-- Check auth on label for user before writes -->
  <property>
    <name>hbase.security.visibility.mutations.checkauth</name>
    <value>false</value>
  </property>
  <!-- Set secure bulk load path -->
  <property>
    <name>hbase.bulkload.staging.dir</name>
    <value>/tmp/hbase-staging</value>
  </property>

  <!-- HBase per CF encryption-->
  <property>
    <name>hbase.crypto.keyprovider</name>
    <value>org.apache.hadoop.hbase.io.crypto.KeyStoreKeyProvider</value>
  </property>
  <property>
    <name>hbase.crypto.keyprovider.parameters</name>
    <value>jceks://{{ KEYSTORE_DIR }}/hbase-crypto.jks?password={{ HBASE_CRYPTO_PASSWORD }}</value>
  </property>
  <property>
    <!-- Required when the alias in the keystore differs from the HBase user -->
    <name>hbase.crypto.master.key.name</name>
    <value>hbase</value>
  </property>
  <property>
    <!-- For key rotation, the alias of the previous key -->
    <name>hbase.crypto.master.alternate.key.name</name>
    <value>hbase.old</value>
  </property>
  <!-- WAL encryption -->
  <property>
    <name>hbase.regionserver.hlog.reader.impl</name>
    <value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogReader</value>
  </property>
  <property>
    <name>hbase.regionserver.hlog.writer.impl</name>
    <value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogWriter</value>
  </property>
  <property>
    <name>hbase.regionserver.wal.encryption</name>
    <value>true</value>
  </property>

  <!-- REST gateway related settings -->
  <!-- SSL -->
  <property>
    <name>hbase.rest.ssl.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.rest.ssl.keystore.store</name>
    <value>{{ KEYSTORE_DIR }}/{{ inventory_hostname}}.jks</value>
  </property>
  <property>
    <name>hbase.rest.ssl.keystore.password</name>
    <value>{{ SSL_STORE_PASSWORD }}</value>
  </property>
  <property>
    <name>hbase.rest.ssl.keystore.keypassword</name>
    <value>{{ SSL_STORE_PASSWORD }}</value>
  </property>
  <!-- Kerberos to HBase Servers-->
  <property>
    <name>hbase.rest.keytab.file</name>
    <value>{{ KEYTAB_DIR }}/hbase-rest.keytab</value>
  </property>
  <property>
    <name>hbase.rest.kerberos.principal</name>
    <value>hbase-rest/_HOST@{{ KRB_REALM }}</value>
  </property>
  <!-- SPNEGO for Client Access -->
  <property>
    <name>hbase.rest.authentication.type</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hbase.rest.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@{{ KRB_REALM }}</value>
  </property>
  <property>
    <name>hbase.rest.authentication.kerberos.keytab</name>
    <value>{{ KEYTAB_DIR }}/hbase-rest.keytab</value>
  </property>
  <!-- Impersonation -->
  <property>
    <name>hadoop.proxyuser.hbase-rest.groups</name>
    <value>hbasebook</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hbase-rest.hosts</name>
    <value>master-1.hbase.book</value>
  </property>
  <property>
    <name>hbase.rest.support.proxyuser</name>
    <value>true</value>
  </property>

  <!-- Thrift gateway related settings -->
  <!-- QOP _must_ be set to enable SASL transport -->
  <property>
    <name>hbase.thrift.security.qop</name>
    <value>auth-conf</value>
  </property>
  <!-- Alternatively, set HTTP mode and TLS -->
  <property>
    <name>hbase.regionserver.thrift.http</name>
    <value>false</value>
  </property>
  <property>
    <!-- Only read when HTTP mode is set to true -->
    <name>hbase.thrift.ssl.enabled</name>
    <value>true</value>
  </property>
  <property>
    <!-- Only read when HTTP mode is set to true -->
    <name>hbase.thrift.ssl.keystore.store</name>
    <value>{{ KEYSTORE_DIR }}/{{ inventory_hostname}}.jks</value>
  </property>
  <property>
    <!-- Only read when HTTP mode is set to true -->
    <name>hbase.thrift.ssl.keystore.password</name>
    <value>{{ SSL_STORE_PASSWORD }}</value>
  </property>
  <property>
    <!-- Only read when HTTP mode is set to true -->
    <name>hbase.thrift.ssl.keystore.keypassword</name>
    <value>{{ SSL_STORE_PASSWORD }}</value>
  </property>
  <!-- Kerberos to HBase Servers-->
  <property>
    <name>hbase.thrift.keytab.file</name>
    <value>{{ KEYTAB_DIR }}/hbase-thrift.keytab</value>
  </property>
  <property>
    <name>hbase.thrift.kerberos.principal</name>
    <value>hbase-thrift/_HOST@{{ KRB_REALM }}</value>
  </property>
  <!-- Impersonation, must be configured -->
  <property>
    <name>hadoop.proxyuser.hbase-thrift.groups</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hbase-thrift.hosts</name>
    <value>*</value>
  </property>
  <property>
    <!-- Optional: Allow "doAs" parameter for Thrift HTTP mode -->
    <name>hbase.thrift.support.proxyuser</name>
    <value>true</value>
  </property>
  {%- endif %}
</configuration>
